With the introduction of the internet, and the unprecedented access it provides to users, all manner of service providers have steadily been moving towards the provision of online services. Online banking, commerce services, shopping, web-based email accounts, etc. are all commonplace today.
The introduction and proliferation of wireless broadband infrastructure and services has since provided users with connectivity to the internet while on the move, expanding the use of online services. This has also provided the impetus for the development and introduction of a myriad of portable internet-capable devices by numerous manufacturers, ranging from laptop personal computers to mobile telephones with internet and data capability.
The development of such portable devices continues unabated, and in the past 10 years we have seen the introduction of a new generation of portable internet-capable devices known as smartphones, which have continuously evolved and seen continuous increases in computing power and internet connectivity, further revolutionizing the internet. The term smartphone is generally used to refer to a mobile telephone which possesses advanced computing ability and internet connectivity, and smartphones are now ubiquitous and very much part and parcel of everyday life.
With this new and unprecedented level of connectivity to the internet, however, comes the parallel and never-ending task of data security, which not only includes securing web pages and online databases, but also ensuring that a user is able to securely access an internet-based application, particularly one with financial or commercial implications.
Since the introduction of online services through the internet, online service providers have been continuously dueling with unscrupulous parties seeking ways to gain unauthorized access to user accounts by means of identity theft, which involves stealing a user's personal online identity and password for a specific online service. Known methods used by these unscrupulous parties include phishing, pharming, key-logging and man-in-the-middle attacks.
Phishing refers to the process of tricking a user of an online service into believing that a fraudulent website (i.e., a spoof) created by an unscrupulous party, is an online service provider's genuine website, and subsequently revealing their personal online identity and password to the unscrupulous party.
In practice, a phishing attack will commence with an email with fraudulent content being sent to potential victims in the hope that some of the recipients will visit a fraudulent website that very closely resembles or mirrors the appearance of a genuine website. A victim is then tricked into inputting and submitting their user ID and password, which falls into the hands of the unscrupulous party.
Pharming is a more advanced technique of identity theft with the same objective as that of phishing. Instead of distributing fraudulent emails and exploiting user ignorance, pharming discreetly diverts users who are trying to visit a genuine website to a look-alike fraudulent website where their identity will be stolen, typically by corrupting the name resolution the user relies on (for example, a poisoned DNS cache or a modified hosts file), so that the genuine address resolves to the fraudulent site.
Key-logging is a technique used to steal user IDs and passwords when users submit these login credentials to the genuine website. This is usually accomplished by first infecting the user's personal computer or internet-capable device with spyware or a Trojan horse that records the keystrokes of the user. The recorded keystroke data will include the user ID and password frequently typed by the user, and is periodically sent to the unscrupulous party.
A man-in-the-middle attack involves placing a so-called man-in-the-middle (MIM) between a user and a targeted online service provider's website. Typically, the MIM relays information between the user and the online service provider's website in real time, while copying the user's login credentials to the unscrupulous party, or even hijacking the login session that the genuine website establishes.
The strength of a man-in-the-middle attack is such that a user will think that the MIM is in fact the online service provider's website, since all the information presented appears to be correct, and similarly, the online service provider will assume that it is communicating directly with the user since all of the login credentials are correct.
A man-in-the-middle attack is clearly an advanced form of attack that is capable of circumventing many two-factor authentication schemes that require a user to submit additional authentication codes, because an unsuspecting user is unaware that they are actually submitting the additional authentication information through a man-in-the-middle, which relays it to the genuine website before the code expires.
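The relay described above can be modelled in a few dozen lines. The following is an added illustration, not code from the original page or from the applicant: an in-memory model of a genuine service that checks a password plus an HMAC-based one-time code (RFC 4226 style), a user who types whatever the site in front of them asks for, and a man-in-the-middle that presents the same login interface and forwards every submission unchanged. The account, password, OTP seed and all class and function names are constructed for the example. It models the application layer only; it assumes the MIM already terminates the user's connection (for instance after pharming), and it does not address how transport security such as certificate validation would be bypassed.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample account for the illustration (not real data).
USERS = {"alice": {"password": "correct horse", "otp_seed": b"\x01" * 20}}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password with RFC 4226 dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Service:
    """The genuine site: password + one-time code, then a session cookie."""

    def __init__(self, users):
        self._users = users
        self._counters = {u: 0 for u in users}   # next expected OTP counter per user
        self.sessions = {}                       # cookie -> user_id

    def login(self, user_id, password, otp):
        rec = self._users.get(user_id)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        counter = self._counters[user_id]
        if not hmac.compare_digest(hotp(rec["otp_seed"], counter), otp):
            return None
        self._counters[user_id] = counter + 1    # each code is accepted once only
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user_id
        return cookie

    def account_page(self, cookie):
        """Whoever holds a valid cookie is treated as that user."""
        return self.sessions.get(cookie)


class User:
    """The victim: enters password and the current token code into the site shown."""

    def __init__(self, user_id, password, otp_seed):
        self._user_id, self._password, self._otp_seed = user_id, password, otp_seed
        self._counter = 0

    def log_in_to(self, site):
        otp = hotp(self._otp_seed, self._counter)
        self._counter += 1
        return site.login(self._user_id, self._password, otp)


class ManInTheMiddle:
    """Look-alike endpoint the user was steered to. Same interface as Service;
    every submission is recorded and relayed to the genuine service at once."""

    def __init__(self, upstream):
        self._upstream = upstream
        self.captured = []    # (user_id, password, otp) seen in transit
        self.hijacked = []    # cookies issued by the genuine service

    def login(self, user_id, password, otp):
        self.captured.append((user_id, password, otp))
        cookie = self._upstream.login(user_id, password, otp)  # forwarded unchanged, so still valid
        if cookie is not None:
            self.hijacked.append(cookie)
        return cookie         # returned to the victim so their session works as expected


def run_scenario():
    service = Service(USERS)
    victim = User("alice", "correct horse", USERS["alice"]["otp_seed"])
    mim = ManInTheMiddle(service)

    victim_cookie = victim.log_in_to(mim)     # victim believes mim is the service
    attacker_view = service.account_page(mim.hijacked[0]) if mim.hijacked else None

    # A later replay of the captured code fails (single use), but the live relay
    # already yielded a valid session, so the attacker never needs the replay.
    replay_cookie = service.login(*mim.captured[0])

    return {
        "victim_logged_in": victim_cookie is not None,
        "captured": mim.captured[0],
        "attacker_sees_account_of": attacker_view,
        "replay_works": replay_cookie is not None,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is that the genuine service has nothing to reject: the user ID, password and one-time code are all correct and arrive within the code's validity window, and the session cookie it issues is handed to the relay first. A single-use code only defeats a later replay, not a relay performed while the code is still fresh.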
There are presently a number of known countermeasures to the forms of identity theft described above, but most offer at best a partial solution to the problem, are too cumbersome to implement, or are simply too costly. For example:
A spam filter is only good for blocking email-based phishing, but is ineffective against pharming.
A question-and-answer challenge-response is still vulnerable to phishing, because a user can, through ignorance, be tricked into revealing the answers.
Server identification by displaying a secret text or image known to the user does not prevent key-logging, and simply fails where there is a man-in-the-middle between the user and the online service provider's web server, since the man-in-the-middle can fetch the secret from the genuine server and present it to the user.
Token-based authentication (both hardware tokens and SMS-based tokens) prevents common phishing and pharming, but remains vulnerable to an advanced man-in-the-middle attack that relays the one-time code while it is still valid.
Client digital certificates and smart cards are strong authentication solutions, but they are cumbersome to manage or costly to deploy on a large scale, given the sheer number of internet-capable devices in service, which continues to increase rapidly, and the expanding connectivity and usage of the internet.
WO 2007/050932 A2 discloses a method of controlling access to internet-based applications, specifically systems and methods for controlling access to internet-based applications through the use of out-of-band signaling, and, in particular, telephony networks. In WO 2007/050932 A2, the likelihood of fraudulent or unauthorized use of an internet-based application is reduced by giving a user the ability to enable or disable processing of their login credentials through the use of telephony.
The reliance of the disclosed systems and methods on telephony networks has the disadvantage of requiring a user to make telephone calls, thus incurring additional cost which may be particularly significant for a user who travels frequently. A further disadvantage is the need for a user to be familiar with or to memorize several code sequences, which may be considered problematic for some. Furthermore, the need to input a sequence of key-strokes requires more effort and is susceptible to a wrong digit being entered, which may result in system errors or at the very least, the need to repeat the procedure.
In view of the obvious disadvantages of the known countermeasures above, there is an unfulfilled need for a method of controlling access to an internet-based application to supplement a user's existing login credentials, which may be deployed at a wide scale and at an acceptable cost, and which offers an improvement over the prior art described above.